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(57) In one embodiment, an apparatus includes a 
first integrated processor, a second integrated proces- 
sor, and a security processor. The first integrated proc- 
essor has one or more network interfaces for receiving 
packets and also has a second interface. The second 
integrated processor is coupled to the second interface. 
A security processor is coupled to the second integrated 
processor. Also, a storage switch is contemplated em- 



ploying one or more line cards which include the appa- 
ratus. The storage switch further includes at least one 
switch fabric card coupled to the at least one line card, 
wherein the switch fabric card is configured to route 
packets from the at least one line card and from one or 
more storage devices on a switch fabric. In another em- 
bodiment, the integrated processors maybe systems on 
a chip (SOCs). 
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Description 

BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

[0001] This invention is related to the field of packet 
processing systems and handling encrypted and non- 
encrypted packet traffic such systems, and also to the 
field of networked devices such as network storage de- 
vices. 

2. Description of the Related Art 

[0002] Various computing systems and related devic- 
es are becoming increasingly networked. While compu- 
ter systems (e.g. personal computers, or PCs, servers, 
etc.) have been networked for sometime, other devices 
have recently been networked as well. For example, 
storage systems are being networked in various ways 
such as storage area networks (SANs) implemented us- 
ing various protocols (e.g. Fiber Channel over Internet 
Protocol (FCIP) or Small Computer Systems Interface 
over TCP/IP (iSCSI)) or network attached storage 
(NAS). Such storage solutions include storage devices 
and circuitry to communicate using various network pro- 
tocols such as Transport Control Protocol/Internet Pro- 
tocol (TCP/IP). 

[0003] While networking is becoming more ubiqui- 
tous, it is also a rapidly changing field with new stand- 
ards being developed and older standards being modi- 
fied. Additionally, as publicly available networks such as 
the Internet are increasingly being used as part of the 
network, encryption of networked traffic is becoming 
more prevalent. Accordingly, networked computer sys- 
tems and storage devices may be required to handle 
both encrypted and non-encrypted network traffic. 

SUMMARY OF THE INVENTiON 

[0004] In one embodiment, an apparatus includes a 
first integrated processor, a second integrated proces- 
sor, and a security processor. The first integrated proc- 
essor has one or more network interfaces for receiving 
packets and also has a second interface. The second 
integrated processor is coupled to the second interface. 
A security processor is coupled to the second integrated 
processor. Also, a storage switch is contemplated em- 
ploying one or more line cards (or "blades") which in- 
clude the apparatus. The storage switch further includes 
at least one switch fabric card coupled to the at least 
one line card, wherein the switch fabric card is config- 
ured to route packets from the at least one line card and 
from one or more storage devices on a switch fabric. 
[0005] In another embodiment, an apparatus includes 
a first system on a chip (SOC), a second SOC, and a 
security processor. The first SOC includes one or more 
network interface circuits, a second interface circuit, and 



at least a first processor. The first processor is pro- 
grammed, during use, to process unencrypted packets 
received on the one or more network interface circuits. 
Additionally, the first processor is programmed, during 

5 use, to detect encrypted packets received on the one or 
more network interface circuits and to route the encrypt- 
ed packets to the second interface circuit. The second 
SOC includes the second interface circuit coupled to the 
second interface circuit of the first SOC. Additionally, the 

10 second SOC includes at least a second processor and 
one or more network interface circuits configurable as 
a packet interface. The security processor is coupled to 
the packet interface, wherein the second processor is 
programmed, during use, to decrypt encrypted packets 

15 in cooperation with the security processor. 

BRiEF DESCRIPTION OF THE DRAWiNGS 

[0006] The following detailed description makes ref- 
20 erence to the accompanying drawings, which are now 
briefly described. 



Fig. 1 is a block diagram of one embodiment of a 
storage switch. 

25 

Fig. 2 is a block diagram of one embodiment of a 
circuitry for processing a mix of encrypted and un- 
encrypted network traffic. 

30 Fig. 3 is a flowchart illustrating operation of one em- 
bodiment of a first integrated processor/SOC 
shown in Fig. 2 in response to receiving a packet. 

Fig. 4 is a flowchart illustrating operation of one em- 
35 bodiment of a second integrated processor/SOC 
shown in Fig. 2 in responseto receiving an incoming 
packet from the first integrated processor/SOC. 

Fig. 5 is a flowchart illustrating operation of one em- 
40 bodiment of the second integrated processor/SOC 
in response to receiving a decrypted incoming 
packet from a security processor shown in Fig. 2. 

Fig. 6 is a flowchart illustrating operation of one em- 
45 bodiment of the second integrated processor/SOC 
in response to receiving an outgoing packet. 

Fig. 7 is a flowchart illustrating operation of one em- 
bodiment of the second integrated processor/SOC 
50 in response to receiving an encrypted outgoing 
packet from the security processor. 

Fig. 8 is a block diagram of one embodiment of an 
integrated processor/SOC. 

55 

Fig. 9 is a block diagram illustrating one embodi- 
ment of encrypted packets. 
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[0007] While the invention is susceptible to various 
modifications and alternative forms, specific embodi- 
ments thereof are shown by way of example in the draw- 
ings and will herein be described in detail. It should be 
understood, however, that the drawings and detailed de- 
scription thereto are not intended to limit the invention 
to the particular form disclosed, but on the contrary, the 
intention is to cover all modifications, equivalents and 
alternatives falling within the spirit and scope of the 
present invention as defined by the appended claims. 

DETAILED DESCRIPTION OF EMBODIMENTS 

[0008] Turning now to Fig. 1 , a block diagram of one 
embodiment of a storage switch 1 0 is shown. Other em- 
bodiments are possible and contemplated. In the em- 
bodiment of Fig. 1 , the storage switch 1 0 includes one 
or more networl< line cards (e.g. the network line cards 
12A-12C in Fig. 1), one or more switch fabric cards (e. 
g. the switch fabric card 14 in Fig. 1), and one or more 
storage line cards (e.g. the storage line card 18 in Fig. 
1 ). The storage switch 1 0 may be coupled to one or more 
network ports. The network ports may support any net- 
work protocol in various embodiments (e.g. Ethernet, 
asynchronous transfer mode (ATIVI), synchronous opti- 
cal network (SONET), etc.). Specifically, the network 
line cards 1 2A-1 2C may each be used to couple to one 
or more network ports. The network line cards 1 2A-1 2C 
are also coupled, via a switch fabric, to the switch fabric 
card 14, which is further coupled through the storage 
line card 1 8 to a set of storage devices 1 6A-1 6C. 
[0009] Generally, the storage switch 1 0 is coupled to 
receive storage request packets from various devices 
via the network ports, and to route the storage requests 
to the storage devices 1 6A-1 6C. Furthermore, the stor- 
age switch 1 0 may route the response packets from the 
storage devices 1 6A-1 6C back to the requesting devic- 
es on the network ports. The storage request packets 
and/or response packets may, in some cases, be en- 
crypted and/or authenticated. For example, in one em- 
bodiment, encryption and/or authentication may be ac- 
complished according to the IPsec standard set forth by 
the Internet Engineering Task Force (IETF) IPsec spec- 
ification (RFC 2406 and RFC 2402). For example, the 
network ports which lead to transmission on the Internet 
may be encrypted to protect the data from observation 
by third parties while in transit and/or authenticated to 
verify the source and receiver of the data. If the data is 
to be routed on a network in a secure environment, en- 
cryption and/or authentication may not be used if de- 
sired. For example, ports which lead to transmission 
within the same building as the storage switch 10 and 
the storage devices 1 6A-1 60 may not be encrypted/au- 
thenticated if the building is physically secure (e.g. only 
authorized persons are allowed to enter the building). 
[0010] The storage switch 10 may be configured for 
any type of storage. In one embodiment, the storage 
switch 10 may bean iSCS I switch. Thus, the packet traf- 



fic switched by the storage switch 10 may be TCP/IP 
packets containing SCSI commands and responses. In 
other embodiments, the storage switch 10 may be a 
storage area network (SAN) or network attached stor- 
5 age (NAS) switch. In still other embodiments, the stor- 
age switch 10 may be a switch for SCSI storage, IDE 
storage, or any other type of storage (e.g. Fibre Chan- 
nel, Serial ATA, etc.). 

[0011] The network line cards 12A-12C may generally 
10 provide the network connections for the storage switch 

1 0. As used herein, a network line card is any collection 
of circuitry which provides one or more network interfac- 
es for sending/receiving network traffic and the circuitry 
for processing traffic received on and transmitted on the 
15 interfaces. The circuitry may be arranged (e.g. on a 
printed circuit card or other supporting/interconnecting 
medium) to be inserted into a connector within the stor- 
age switch 1 0. 

[0012] In the embodiment of Fig. 1 , the network line 

20 cards 12A-12C may receive packets on the network 
ports, may process the packets (including optionally de- 
crypting the packets if the packets are encrypted) and 
may transmit the packets to the switch fabric card 1 4 for 
routing to the destination storage device 16A-16C. Ad- 

25 ditionally, the network line cards 12A-12C may receive 
response packets from the switch fabric card 14, proc- 
ess the packets (including optionally encrypting the 
packets) and may transmit the packets on the appropri- 
ate network port. 

30 [0013] The storage line card 18 may generally provide 
the storage interfaces from the storage switch 1 0 to the 
storage devices 16A-16C. One or more storage line 
cards 1 8 may be included to interface to different types 
of storage, or to provide multiple interfaces of a given 

35 type. The storage line card 18 may support any sort of 
storage interface, including any of the examples men- 
tioned above. In some cases (e.g. interfacing to a NAS 
or SAN subsystem), the storage line card 18 may supply 
network ports (e.g. the storage line card 18 may be a 

40 network line card similarto network line cards 12A-12C). 
[0014] The switch fabric card 14 includes circuitry 
which is used to switch packets from sources to desti- 
nations on the switch fabric that interconnects the net- 
work line cards 12A-12C and the storage devices 16A- 

45 1 6C. The switch fabric may include any communications 
medium. For example, between the network line cards 
1 2A-1 2C and the switch fabric card 1 4 and between the 
storage line card 1 8 and the switch fabric card 1 4, inter- 
faces such as SPI-4, Universal Test and Operations 

50 Physical Interface for ATM (UTOPIA) fabric, a common 
switch interface (OS IX) fabric, etc. may be used. The 
switch fabric card 14 may include various switch mech- 
anisms (e.g. cross bars, point to point interfaces, mesh- 
es, cubes, etc.). 

55 [0015] The storage devices 16A-16C may be any type 
of storage device (i.e. any type of device which may 
store data for later retrieval). For example, the storage 
devices 16A-1 60 may include fixed disk drives (e.g. SC- 
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SI drives, IDE drives, etc.), compact disc read only 
memory (CD-ROM) drives, writeable and/or rewriteable 
CD drives, digital versatile disl< (DVD) drives, removable 
disk drives, etc. The storage devices 1 6A-1 6C may also 
include network attached storage (NAS) or storage area 
network (SAN) subsystems. 

[0016] Turning nowto Fig. 2, a block diagram illustrat- 
ing one embodiment of a circuit 20 for processing a mix 
of encrypted and unencrypted network traffic is shown. 
Other embodiments are possible and contemplated. In 
one implementation, the circuit 20 may be included on 
each of the network line cards 12A-12C shown in Fig 1 , 
However, the circuit 20 may generally be used in any 
system in which processing of both encrypted and un- 
encrypted network traffic is desired. In the embodiment 
of Fig. 2, the circuit 20 includes a first integrated proc- 
essor or system on a chip (SOC) 22A, a second inte- 
grated processor/SOC 22B, a security processor 24, a 
first memory 26A coupled to the first integrated proces- 
sor/SOC 22A, a second memory 26B coupled to the 
second integrated processor 22B, and a field program- 
mable gate array (FPGA) 28. The first integrated proc- 
essor/SOC 22A includes circuitry for providing a set of 
network ports (e.g. three network ports, in the illustrated 
embodiment, although the number of network ports may 
vary from as few as one to as many as desired) and also 
includes an interface to which the second integrated 
processor/SOC 228 is coupled. In the illustrated em- 
bodiment, the interface is the HyperTransport™ inter- 
face, although any interface may be used in other em- 
bodiments. The second integrated processor/SOC 22B 
further includes a pair of packet interfaces to which the 
security processor 24 and the FPGA 28 are coupled. 
The FPGA 28 is further coupled to a switching interface 
(e.g. an interface within the switch fabric managed by 
the switch fabric card 1 4 or managed by the integrated 
processor/SOC 228 in the embodiment of Fig. 1). 
[0017] In one embodiment, one or both of the integrat- 
ed process© r/SOCs 22A-22B may be integrated proc- 
essors. As used herein, an integrated processor in- 
cludes processor circuitry (circuitry for executing in- 
structions defined in a processor instruction set archi- 
tecture) as well as at least one non-processor circuit in- 
tegrated onto a single integrated circuit substrate (or 
"chip"). Alternatively, one or both of the integrated proc- 
essor/SOCs 22A-22B may be a "system on a chip". As 
used herein, a system on a chip includes at least: one 
or more processors, a memory controller, and one or 
more input/output (I/O) interfaces (e.g. the network 
ports, the HyperTransporfr"^ interface, generic packet 
interfaces, etc.). The SOC may optionally include cach- 
es and other circuitry integrated as well. For the remain- 
der of this description, the integrated processor/SOCs 
22A-22B will be referred to as integrated processors, 
However, it is understood that either or both may be an 
SOC in other embodiments. In some embodiments, the 
integrated processor/SOC 228 may integrate the secu- 
rity processor 24 as well. 



[0018] The first integrated processor 22A is coupled 
to receive packets on the network ports coupled thereto. 
The received packets may be either encrypted or unen- 
crypted. The first integrated processor22A may process 

5 the unencrypted packets and may forward the proc- 
essed packets through second integrated processor 
228 to the switching interface. The first integrated proc- 
essor 22A may pass the encrypted packets to the sec- 
ond integrated processor 22B, which may process the 

10 encrypted packets in cooperation with the security proc- 
essor 24 and may transmit the decrypted packets on to 
the switching interface. Additionally, the second inte- 
grated processor 22B is coupled to receive packets from 
the switching interface, and may optionally encrypt the 

15 packets and transmit the packets to the first integrated 
processor 22A for transmission on the appropriate net- 
work port. 

[001 9] The circuitry 20 is programmable (e.g. both the 
integrated processors 22A-22B are programmable). 

20 Thus, the circuitry 20 may provide a programmable se- 
cure packet processing solution. Since at least some of 
the packet processing may be handled in software in- 
structions executed on the integrated processors 22A- 
228, the circuitry 20 may maintain compatibility with the 

25 iPsec standards (or other security standards) as those 
standards are modified overtime by upgrading the soft- 
ware executed by the circuitry 20. Similarly, the circuitry 
20 may be programmed for new standards that may be 
released after the circuitry 20 is placed in service. The 

30 circuitry 20 may also support standards that include se- 
curity (e.g. the iSCSI standard). 

[0020] Generally, as used herein, a security proces- 
sor is any circuitry designed to perfonn one or more as- 
pects of secure packet processing. For example, in the 

35 present embodiment, the security processor 24 may be 
designed to decrypt encrypted packets and to encrypt 
non-encrypted packets. In one specific embodiment, the 
security processor 24 may be designed to perform en- 
cryption/decryption and authentication of packets ac- 

40 cording to the IPsec specification. Any of a variety of 
encryption and/or authentication algorithms may be 
supported, e.g. as per the above mentioned RFCs. 
[0021] In one implementation, the security processor 
24 may include a security association (SA) cache 30 and 

^5 an encryption/decryption engine 32. The SA cache 30 
may be configured to store various security association 
parameters for use in decrypting/encrypting packets. 
The SA cache 30 may be programmable from the inte- 
grated processor 22B via commands over the packet 

50 interface. The security associations stored in the SA 
cache 30 may be read from a security association da- 
tabase (SAD) 34 stored in the memory 26B, which may 
also be storing a security policy database (SPD) 36. The 
encryption/decryption engine 32 includes the circuitry 

55 for performing encryption and decryption (and/or au- 
thentication) in response to a given security association 
and packet. In one particular implementation, the secu- 
rity processor 24 may comprise the 8CIVI5840 available 
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from Broadcom Corporation. 

[0022] As defined in the I Psec specification, a security 
association is a simplex connection between a source 
and a destination for wliicli various security protocols 
may be applied to tlie communication from the source 
to the destination. For example, the I Psec specification 
currently includes an authentication header (AH) proto- 
col that provides authentication and an encapsulating 
security payload (ESP) protocol that provides for both 
authentication and encryption. The security association 
may include one or the other of the AH or ESP protocols. 
The SAD 34 may be a database of parameters corre- 
sponding to active security associations, a subset of 
which may be cached in the SA cache 30. The param- 
eters may include a variety of information used in main- 
taining the security association and used in the under- 
lying protocols (e.g. a sequence number, an overflow 
flag for the sequence number, an indicator of the au- 
thentication algorithm and any cryptographic keys (e.g. 
public or private keys) used in the authentication algo- 
rithm, an indication of the encryption algorithm and any 
cryptographic keys used in the encryption algorithm, a 
lifetime value indicating how long the security associa- 
tion is valid, the protocol mode such as tunnel , transport, 
etc., etc.). The SPD 36 may be used to map various 
packets to a security policy, which may include one or 
more of the security associations in the SAD 34 (or to 
indicate that the packet bypasses I Psec) as well as other 
security features such as the types of communications 
permitted, which devices communication is permitted 
with, etc. Various values may be used in the security 
policies (e.g. source and/or destination IP addresses, 
name, data sensitivity level, transport layer protocol, 
source and/or destination ports (e.g. UDP or TCP ports), 
etc.) to identify which security policy is to be used for a 
given packet. 

[0023] While the above description (and the example 
shown in the flowcharts below) refers to the first inte- 
grated processor 22A performing the protocol process- 
ing of unencrypted packets and the second integrated 
processor 22B performing the protocol processing of 
encrypted packets, other embodiments may share the 
protocol processing of unencrypted packets and/or en- 
crypted packets between the two integrated processors, 
if desired. 

[0024] The SAD 34 and the SPD 36 may be examples 
of security databases. As used herein, a security data- 
base may be any database storing infonnation used to 
provide secure packet transport. 
[0025] In the illustrated embodiment, the FPGA 28 is 
used to translate the packet interface from the integrat- 
ed processor 22B to the switching interface. The FPGA 
28 is an optional component which may not be used, e. 
g. , if the integrated processor 22B directly supports the 
switching interface employed in a given embodiment. 
Alternatively, any other circuitry may be used for trans- 
lating from an interface supported by the integrated 
processor 22B to the switching interface. 



[0026] It is noted that, while packet interfaces are 
used between the FPGA 28 and the second integrated 
processor 22B and between the security processor and 
the second integrated processor 22B, in other embodi- 
5 ments any interface may be used. As used herein, a 
packet interface refers to any interface which supports 
the transmission of packets directly thereon. 
[0027] Turning next to Figs. 3-7, a set of flowcharts 
are shown illustrating various operations of one embod- 
10 imentof the integrated processors 22A-22Bfor process- 
ing packets. More particularly, the flowcharts of Figs. 3-7 
may represent the operation of integrated processors 
22A-22B when executing sets of instructions pro- 
grammed for the integrated processors. The sets of in- 
15 structions may be stored on any suitable computer read- 
able medium. For example, the instructions may be in 
the memories 26A-26B (depending on which integrated 
processor 22A-22B is to execute the instructions). Al- 
ternatively, the instructions may be stored on any medi- 
co um (e.g. a ROM or other storage device) coupled to be 
accessed by the integrated processor 22A-22B. 
[0028] Fig. 3 is a flowchart illustrating operation of one 
embodiment of the first integrated processor 22A in re- 
sponse to receiving a packet on one of the network 
25 ports. Other embodiments are possible and contemplat- 
ed. While the blocks are shown in a particular order for 
ease of understanding, other orders may be used as de- 
sired. 

[0029] The first integrated processor 22A examines 
30 the received packet to determine if the packet is encrypt- 
ed (decision block 40). The determination of whether a 
packet is encrypted or not may vary depending on the 
security protocols being used. For the IPsec standard, 
the protocol header of the packet which precedes the 
35 security header specified for the ESP or AH protocols 
includes a value of 50 in its protocol field (IPv4) or its 
next header field (IPv6) to indicate ESP or a value of 51 
to indicate AH. If either of these protocols is selected, 
the first integrated processor 22A may assume the 
40 packet is encrypted (and/or requires authentication 
processing). Alternatively, the first integrated processor 
22A may have access to the SAD 34, and may lookup 
the security association for the packet to determine if 
the packet is encrypted. Any mechanism for determining 
45 if the packet is encrypted may be used. 

[0030] If the packet is encrypted (and/or authenticat- 
ed), the first integrated processor 22A transmits the 
packet to the second integrated processor 22B for de- 
cryption and further processing (block 42). On the other 
50 hand, if the packet is not encrypted, the first integrated 
processor 22A may perform protocol processing on the 
packet and may transmit the processed packet to the 
second integrated processor 22B for transmission on 
the switch fabric (block 44). The protocol processing 
55 may include, for example, determining the target of the 
packet on the switch fabric (e.g. a storage device in the 
embodiment of Fig. 1) and transmitting information to 
the switch fabric card indicating the target for routing of 
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the packet to the target. The memory 26A may include 
various databases which may be used in the protocol 
processing (e.g. databases mapping IP addresses to 
switch fabric addresses or other routing information). 
[0031] Turning now to Fig. 4, a flowchart is shown il- 
lustrating operation of one embodiment of the second 
integrated processor 22B in response to receiving an 
incoming (encrypted) pacl<et from the first integrated 
processor 22A. Other embodiments are possible and 
contemplated. While the blocks are shown in a particular 
order for ease of understanding, other orders may be 
used as desired, 

[0032] The second integrated processor 22B may use 
various information from the incoming packet to lookup 
a security association in the SAD 34 corresponding to 
the packet (block 50). Depending on the security proto- 
col, various information may be used. In one embodi- 
ment employing the IPsec standard, the packet may in- 
clude an indication of the security protocol being used 
(e.g. AH or ESP), a security parameter index (SPI) in- 
cluded in the security header, and an IP destination ad- 
dress (in the IP header). These three values maybe 
used to identify a security association, and thus an entry 
in the SAD 34. 

[0033] Among other things, the SAD entry may in- 
clude an indication of whether or not the parameters in 
the entry are cached in the SA cache 30 of the security 
processor 24. If the parameters are cached, the SAD 
entry may further include a value identifying the entry in 
theSAcache (referred to as the SA handle herein). Gen- 
erally, the second integrated processor 22B may encap- 
sulate the incoming packet with: (i) a control word indi- 
cating the control fields that follow, and (ii) the control 
fields. In particular, the control fields may include the se- 
curity association parameters (cryptographic keys, en- 
cryption algorithms used, etc.) if the security association 
is not cached in the SA cache, or the SA handle if the 
security association is cached in the SA cache. 
[0034] The second integrated processor 22 B may ex- 
amine the indication to determine if the security associ- 
ation is cached in the SA cache (decision block 52). If 
so, the second integrated processor 228 may encapsu- 
late the incoming packet with: (i) a control word indicat- 
ingthatan SA handle is included, and (ii) the SA handle, 
The second integrated processor 22B may transmit the 
encapsulated packet to the security processor 24 (block 
54). If the indication indicates that the security associa- 
tion is not cached in theSAcache, the second integrated 
processor 22B may encapsulate the incoming packet 
with: (i) a control word indicating that the SA parameters 
are included, and (ii) the SA parameters ("SA data" in 
Fig. 4). The second integrated processor 22B may 
transmit the encapsulated packet to the security proc- 
essor 24 (block 56). 

[0035] Oncethe security processor 24 has completed 
processing the packet (decrypting the packet and/or au- 
thenticating the packet according to the AH or ESP pro- 
tocol used for the packet), the security processor 24 re- 



turns the decrypted incoming packet to the second in- 
tegrated processor 22B. Fig. 5 is a flowchart illustrating 
operation of one embodiment of the second integrated 
processor 22B in response to receiving a decrypted in- 
5 coming packet from the security processor 24. Other 
embodiments are possible and contemplated. While the 
blocks are shown in a particular order for ease of under- 
standing, other orders may be used as desired. 
[0036] The security processor 24 may encapsulate 
the decrypted packet with a control word and various 
control fields, similar to encapsulation of packets trans- 
mitted to the security processor 24. For example, the 
security processor 24 may return packet status indicat- 
ing whether or not an error was detected in the packet, 
whether or not the packet has been dropped, etc. The 
second integrated processor 22B may decapsulate the 
packet (block 60). In one embodiment, the second inte- 
grated processor22B check for errors in the status from 
the security processor (decision block 68). If errors are 
detected (processing errors, an indication to drop the 
packet, etc.), the second integrated processor 22B may 
drop the packet or otherwise respond to the error (not 
shown in Fig. 5). If no errors were detected, the second 
integrated processor 22B may optionally update the 
SAD 34, depending on the contents thereof and the re- 
sult of the processing by the security processor 24 
(block 62). 

[0037] The second integrated processor 22 B may al- 
so lookup the security policy or policies corresponding 
to the packet in the SPD 36 to verify that the packet is 
permitted to pass to the switch fabric by the security pol- 
icies (decision block 64). If so, the second integrated 
processor may perform protocol processing on the de- 
crypted packet (similar to the description of the first in- 
tegrated processor 22A above with respect to Fig. 3) 
and may route the decrypted packet onto the switch fab- 
ric (block 66). On the other hand, if the packet is not 
permitted according to the security policies, the packet 
may be dropped (i.e. the second integrated processor 
22B may take no further action with the packet). 
[0038] As mentioned above, the second integrated 
processor 22B may also receive packets from the switch 
fabric to be transmitted on one of the network ports of 
the first integrated processor 22A ("outgoing packets"). 
Fig. 6 is a flowchart illustrating operation of one embod- 
iment of the second integrated processor 22B in re- 
sponse to receiving an outgoing packet from the switch 
fabric. Other embodiments are possible and contem- 
plated. While the blocks are shown in a particular order 
for ease of understanding, other orders may be used as 
desired. 

[0039] The second integrated processor 22 B may 
perform a lookup in the SPD 36 for the outgoing packet 
(block 70). The second integrated processor 22B may 
determine, from the SPD lookup, whether or not the out- 
going packet is to be encrypted (or authenticated) or 
whether the packet bypasses the security protocols (e. 
g. if the packet is being transmitted in a secure network). 
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If the packet is not to be encrypted (or authenticated) 
(decision block 72, "no" leg), the second integrated 
processor 22B transmits the outgoing packet to the first 
integrated processor 22A (block 74). 
[0040] On the other hand, if the packet is to be en- 
crypted/authenticated (decision block 72, "yes" leg), the 
second integrated processor 22B nnay insert the secu- 
rity headers for the selected security protocol (e.g. ESP 
headers or AH headers, for IPsec inriplementations) 
(block 76). Additionally, the second integrated proces- 
sor 22B may lookup the security association for the 
packet in the SAD 34 (block 78), If the security associ- 
ation parameters are cached in the SA cache 30 (deci- 
sion block 80, "yes" leg), the second integrated proces- 
sor 22B may encapsulate the outgoing packet with: (i) 
a control word indicating that the SA handle is included, 
and (ii) the SA handle. The second integrated processor 
22B may transmit the encapsulated packet to the secu- 
rity processor 24 (block 82). On the other hand, if the 
security association parameters are not cached in the 
SA cache 30 (decision block 80, "no" leg), the second 
integrated processor 22B may encapsulatethe outgoing 
packet with: (i) a control word indicating that the SA pa- 
rameters are included, and (ii) the SA parameters (SA 
data in Fig. 6). The second integrated processor 22B 
may transmit the encapsulated packet to the security 
processor 24 (block 84). 

[0041] Once the security processor24 has completed 
encrypting/authenticating the outgoing packet, the se- 
curity processor 24 may return the encrypted outgoing 
packet to the second integrated processor 22B. Fig. 7 
is a flowchart illustrating operation of one embodiment 
of the second integrated processor 22B in response to 
receiving an encrypted outgoing packet from the secu- 
rity processor 24. Other embodiments are possible and 
contemplated. While the blocks are shown in a particular 
order for ease of understanding, other orders may be 
used as desired. 

[0042] The second integrated processor 22B may de- 
capsulate the encrypted outgoing packet from the secu- 
rity processor (block 90) and may check for any errors 
reported by the security processor (decision block 96). 
Assuming no errors have occurred, the second integrat- 
ed processor 22B may transmit the encrypted outgoing 
packet to the first integrated processor 22A for routing 
on one of the network ports (block 92). Additionally, the 
second integrated processor 22B may optionally update 
the SAD 34 (block 94). For example, a sequence 
number may be assigned to the outgoing packet. The 
SAD 34 may be updated with the sequence number, so 
that the next higher sequence number may be assigned 
to the next outgoing packet that uses the same security 
association. If errors have occurred, the second inte- 
grated processor 22B may drop the packet or otherwise 
response to the errors (not shown in Fig. 7). 
[0043] While some of the above embodiments have 
included the possibility of both encryption and authenti- 
cation (or one or the other) in the security processor 24, 



other embodiments are contemplated in which only en- 
cryption or only authentication are handled in the secu- 
rity processor 24. 

[0044] Turning now to Fig. 8, a block diagram of one 
5 embodiment of a system 1 00 is shown. Other embodi- 
ments are possible and contemplated. In one embodi- 
ment, the system 1 00 may be used as an SOC for either 
of the first SOC 22A or the second SOC 22B, or both. 
In the embodiment of Fig. 8, the system 100 includes 
10 processors 112A-112B, an L2 cache 114, a memory 
controller 11 6, a pair of input/output (I/O) bridges 1 20A- 
120B, and various I/O interface circuits 122A-122I. The 
system 100 may include a bus 124 for interconnecting 
the various components of the system 100. As illustrat- 
15 ed in Fig. 8, each of the processors 112A-112B, the L2 
cache 1 1 4, the memory controller 1 1 6, and the I/O bridg- 
es 120A-120B are coupled to the bus 124. Thus, each 
of the processors 112A-112B, the L2 cache 114, the 
memory controller 116, and the I/O bridges 120A-120B 
20 may be an agent on the bus 124 for the illustrated em- 
bodiment. The I/O bridge 120A is coupled to the I/O in- 
terface circuits 1 22A-1 22B (specifically, in the illustrated 
embodiment, a Peripheral Component Interconnect 
(PCI) interface circuit 122A and a Hyp erTrans port™ 
25 (HT) interface circuit 1 22 B (where the HT interface was 
previously referred to as the Lightning Data Transport 
(LDT)™ interface), and the I/O bridge 120B is coupled 
to the I/O interface circuits 1 22C-1 221 (specifically, in the 
illustrated embodiment, three network interface circuits 
30 1 22C-122E, two serial interface circuits 122F-122G, a 
system management bus (SMBus) Interface circuit 
122H, and a Personal Computer Memory Card Interna- 
tional Association (PCMCIA) Interface circuit 1221). The 
L2 cache 114 is coupled to the memory controller 116, 
35 which is further coupled to a memory 26. 

[0045] The processors 112A-112B may be designed 
to any instruction set architecture, and may execute pro- 
grams written to that instruction set architecture. Exem- 
plary instruction set architectures may include the Ml- 
40 PS® instruction set architecture (including the MIPS- 
3D™ and MIPS MDMX"^"^ application specific exten- 
sions), the IA-32 or IA-64 instruction set architectures 
developed by Intel Corp., the PowerPC™ instruction set 
architecture, the Alpha instruction set architecture, the 
45 ARM instruction set architecture, or any other instruction 
set architecture. While the system 1 00 as shown in Fig, 
8 includes two processors, other embodiments may in- 
clude one processor or more than two processors, as 
desired. 

50 [0046] The L2 cache 114 is a high speed cache mem- 
ory. The L2 cache 114 is referred to as "L2" since the 
processors 112A-112B may employ Internal level 1 
("L1") caches. If LI caches are not included in the proc- 
essors 112A-112B, the L2 cache 114 may be an LI 
55 cache. Furthermore, if multiple levels of caching are in- 
cluded in the processors 112A-112B, the L2 cache 114 
may be an outer level cache than L2. 
[0047] While the L2 cache 114 is labeled L2 with re- 
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spectto it position in the processor cache hierarchy, the 
L2 cache 114 may actually service cacheable transac- 
tions fronn any device on the bus 124. Thus, the L2 
cache 1 1 4 may be viewed as part of a memory subsys- 
tem including the memory controller 1 1 6 (and the mem- 
ory 26 coupled thereto). If a cacheable read transaction 
hits in the L2 cache 114, even if the source of the read 
transaction is an I/O interface circuit 122A-122I, the L2 
cache 114 supplies the data for the read transaction. If 
a cacheable write transaction hits in the L2 cache 114, 
even if the source of the write transaction is an I/O in- 
terface circuit 1 22A-1 221, the L2 cache 1 1 4 updates with 
the data for the write transaction. 
[0048] The L2 cache 114 may employ any organiza- 
tion, including direct mapped, set associative, and fully 
associative organizations. In one particular implemen- 
tation, the L2 cache 1 1 4 may be a set associative cache 
having 32 byte cache blocks. A set associative cache is 
a cache arranged into multiple sets, each set comprising 
two or more entries. A portion of the address (the "in- 
dex") is usedto select one ofthesets (i.e. each encoding 
of the index selects a different set). The cache block 
storage locations in the selected set are eligible to store 
the cache block accessed by the address. Each of the 
cache block storage locations within the set is referred 
to as a "way" of the set. The portion of the address re- 
maining after removing the index (and the offset within 
the cache block) is referred to as the "tag", and is stored 
in each cache block storage location to identify the 
cache block in that entry. The stored tags are compared 
to the corresponding tag portion of the address of a 
memory transaction to determine if the memory trans- 
action hits or misses in the cache, and is used to select 
the way in which the hit is detected (if a hit is detected). 
[0049] The memory controller 1 1 6 is configured to ac- 
cess the memory 26 (which may be the memory 26A or 
26B shown in Fig. 2, in some embodiments) in response 
to memory transactions received on bus 1 24. The mem- 
ory controller 1 1 6 receives a hit signal from the L2 cache 
114, and if a hit is detected in the L2 cache 114 for a 
memory transaction , memory controller 1 1 6 does not re- 
spond to that memory transaction. Other embodiments 
may not include the L2 cache 1 1 4 and the memory con- 
troller 116 may respond to each memory transaction. If 
a miss is detected by the L2 cache 1 1 4, or the memory 
transaction is non-cacheable, the memory controller 
116 may access the memory 26 to perform the read or 
write operation. The memory controller 116 may be de- 
signed to access any of a variety of types of memory. 
For example, the memory controller 116 may be de- 
signed for synchronous dynamic random access mem- 
ory (SDRAM), and more particularly double data rate 
(DDR) SDRAM . Alternatively, the memory controller 1 1 6 
may be designed for DRAM, Rambus DRAM (RDRAM), 
SRAM, fast cycle RAM (FCRAM), reduced latency 
DRAM (RLDRAM), or any other suitable memory de- 
vice. 

[0050] The I/O bridges 120A-120B link one or more 1/ 



O interface circuits (e.g. the I/O interface circuits 122A- 
122B for the I/O bridge 120A and the I/O interface cir- 
cuits 122C-122I for I/O bridge 120B) to the bus 124. 
While I/O interface circuits are shown in Fig. 8, generally 

5 an I/O bridge 120A-120B may link one or more I/O in- 
terface circuits or I/O devices. The I/O bridges 120A- 
1 20B may serve to reduce the electrical loading on the 
bus 1 24 if more than one I/O interface circuit 1 22A-1 221 
is bridged by that I/O bridge. Generally, the I/O bridge 

10 1 20A performs transactions on the bus 1 24 on behalf of 
the I/O interface circuits 1 22A-1 22B and relays transac- 
tionstargeted atthe I/O interface circuit 122A-122Bfrom 
the bus 1 24 to that I/O interface circuit 1 22A-1 22B. Sim- 
ilarly, the I/O bridge 120B generally performs transac- 

15 tionsonthebus 124 on behalf of the I/O interface circuits 
1 22C-1 221 and relays transactions targeted at an I/O in- 
terface circuit 122C-122I from the bus 124 to that I/O 
interface circuit 1220-1221. 

[0051] The PCI interface circuit 1 22A may be a circuit 
20 for interfacing to the PCI bus. In one embodiment, the 
PCI interface circuit 122A may implement the 66 MHz 
PCI specification version 2.2. The PCI interface circuit 
1 22A may be configurable to be the host bridge on the 
PCI bus. 

25 [0052] The HT interface circuit 1 22B may be a circuit 
for interfacing to the HT fabric. The HT interface circuit 
122B may be the host bridge on the HT fabric. 
[0053] The network interface circuits 122C-122E may 
each include Ethernet Media Access Controllers 

30 (MACs), in one embodiment. Thus, the network inter- 
face circuits 122C-122E may interface externally to the 
Media Independent Interface (Mil) or the Gigabit Mil 
(GMII) interface. Alternatively, the external interface 
may be a generic packet interface in which either the 

35 start or end of packets is flagged using control signals 
on the interface. In yet another alternative, the three net- 
work interface circuits 122C-122E may be operable as 
two wider packet interfaces (e.g. 16 bit interfaces, if the 
individual MII/GMII interfaces are 8 bits). The network 

40 interface circuits 122C-122E may be configurable (e.g. 
during reset) to operate the interface in any of the above 
modes. The network interface circuits 122C-122E may 
alternatively include the physical portion of the Ethernet 
interface and interface directly to an Ethernet physical 

45 medium (e.g. twisted pair, fiber optic, etc.). Still further 
other embodiments may support any network interface 
(e.g. X.25, Frame Relay, Asynchronous Transfer Mode 
(ATM), etc.). In one implementation, the network inter- 
face circuits 122C-122E may interface to the network 

50 ports shown in Figs. 1 and 2. The network interface cir- 
cuits 1 22C-1 22E may also be configured as the packet 
interfaces shown In Fig. 2. 

[0054] The serial interface circuits 122F-122G may 

support dual serial interfaces. The serial interfaces may 
55 be operated synchronously, and may also include a dual 
universal asynchronous receiver/transmitter (DUART) 
for dual asynchronous operation. The SMBus Interface 
circuit 122H supports the SMBus interface, and the PC- 
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MCIA interface circuit 1221 supports tfie PCI\yiCIA inter- 
face. Additionally, a generic bus and general purpose 1/ 
O may be supported (not shown). 
[0055] While a specific set of I/O interface circuits 
122A-122I are shown, other embodiments may use any 
subsets or supersets of the set shown. Furthermore, 
other embodiments may include any set of I/O interface 
circuits/devices, as desired. 

[0056] The bus 124 may be a split transaction bus, in 
one embodiment. The bus 1 24 may employ a distributed 

arbitration scheme, in one embodiment, In one embod- 
iment, the bus 124 may be pipelined. The bus 124 may 
employ any suitable signalling technique. For example, 
in one embodiment, differential signalling may be used 
for high speed signal transmission. Other embodiments 
may employ any other signalling technique (e.g. TTL, 
CMOS, GTL, HSTL, etc.). 

[0057] It is noted that the system 1 00 (and more par- 
ticularly the processors 112A-112B, the L2 cache 114, 
the memory controller 116, the I/O interface circuits 
1 22A-1 22 1 , the I/O bridges 1 20A-1 20B and the bus 1 24) 
may be integrated onto a single integrated circuit as a 
system on a chip configuration. Generally, one or more 
processors 112A-112B and any other components may 
be integrated to form an integrated processor. One em- 
bodiment of a system 1 00 integrated onto a single inte- 
grated circuit may be the BCM1250 available from 
Broadcom Corporation (Irvine, CA). In another configu- 
ration, the memory 26 may be integrated as well. Alter- 
natively, one or more of the components may be imple- 
mented as separate integrated circuits, or all compo- 
nents may be separate integrated circuits, as desired. 
Any level of integration may be used. 
[0058] It is noted that, while the illustrated embodi- 
ment employs a split transaction bus with separate ar- 
bitration for the address and data buses, other embod- 
iments may employ non-split transaction buses arbitrat- 
ed with a single arbitration for address and data and/or 
a split transaction bus in which the data bus is not ex- 
plicitly arbitrated. Either a central arbitration scheme or 
a distributed arbitration scheme may be used, according 
to design choice. Furthermore, bus 1 24 may not be pipe- 
lined, if desired. 

[0059] It is noted that, while Fig. 8 illustrates the I/O 
interface circuits 122A-122I coupled through the I/O 
bridges 1 20A-1 20B to the bus 1 24, other embodiments 
may include one or more I/O interface circuits directly 
coupled to the bus 124, if desired. 
[0060] While a shared bus is used in the present em- 
bodiment, any sort of interconnect may be used in other 
embodiments (e.g. crossbar connections, point to point 
connections in a ring, star, or any other topology, mesh- 
es, cubes, etc.). Generally, an interconnect is any sort 
of communication medium. 

[0061] Turning nowto Fig. 9, a block diagram illustrat- 
ing one embodiment of an encrypted IPv4 packet 130 
and an encrypted IPv6 packet 132 is shown. Other em- 
bodiments are possible and contemplated, in the illus- 



trated embodiment, the packets are encrypted using the 
ESP protocol specified in the IPsec standard. Other em- 
bodiments may use other encryption protocols/stand- 
ards. 

5 [0062] The packet 130 includes an IP header, an ESP 
header, a TCP header, data, an ESP trailer, and an ESP 
authentication trailer ("ESP Auth" in Fig. 9). The IP 
header may bethe standard I P header (including source 
and destination IP addresses, etc.). The ESP header 

10 may be a security header and may include, for example, 
the security parameters index (SPI) and the sequence 
number assigned to the packet, as described above. 
The TCP header may be the standard TCP header, and 
the data may be the data transmitted in the packet. The 

15 ESP trailer may include optional padding (wh ich may be 
used in certain encryption algorithms which encrypt 
fixed sized blocks, for example). The ESP trailer may 
also include the pad length and a next header field. Fi- 
nally, the ESP authentication field may include authen- 

20 tication data. For example, the authentication data may 
include an integrity check value (ICV) calculated over 
other fields of the packet. As illustrated underneath the 
packet 1 30 in Fig. 9, the TCP header, the data, and the 
ESP trailer may be encrypted fields in the packet 130. 

25 The ESP header, the TCP header, thedata, andthe ESP 
trailer may be authenticated by the ICV value in the ESP 
authentication field. 

[0063] The packet 132 includes the IP header, ESP 
header, TCP header, data, ESP trailer, and ESP authen- 

30 tication field, similar to the packet 130. However, the 
packet 132 also includes an optional extension header, 
and an optional destination options field (Dest. Opts, in 
Fig. 9) as specified in IPv6. As shown in Fig. 9, the ESP 
header follows the extension headers and may be be- 

35 fore the destination options header or after it. If the des- 
tination options header follows the ESP header, it is en- 
crypted along with the TCP header, the data, and the 
ESP trailer. If the destination options header follows the 
ESP header, it is authenticated along with the ESP 

40 header, the TCP header, the data, and the ESP trailer. 
[0064] The packets 130 and 132 shown in Fig. 9 are 
transport mode packets. The ESP protocol may also be 
used with tunnel mode packets. In tunnel mode packets, 
there is an "inner" IP header (after the ESP header but 

^5 before the TCP header) which includes the ultimate 
source and destination IP addresses which are being 
tunneled between the source IP address and the desti- 
nation IP address in the "outer" IP header (the header 
shown in Fig. 9). Accordingly, the inner IP header is en- 

50 crypted and authenticated. 

[0065] Numerous variations and modifications will be- 
come apparent to those skilled in the art once the above 
disclosure is fully appreciated. It is intended that the fol- 
lowing claims be interpreted to embrace all such varia- 

55 tions and modifications. 
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in the security association database and to transmit 
tine second unencrypted pacl<et and tlie second se- 
curity association to the security processor for en- 
cryption. 

5 

8. The apparatus as recited in clainn 7 wherein the sec- 
ond integrated processor is configured to receive a 
second encrypted pacl<et corresponding to the sec- 
ond unencrypted packet from the security proces- 

10 son and wherein the second integrated processor 
is configured to transmit the second encrypted 
pacl<et on the second interface to the first integrated 
processor for transmission on one of the network 
interfaces. 

15 

9. The apparatus as recited in any of claims 1-8 
wherein the network interfaces comprise Ethernet 
interfaces. 



Claims 

1. An apparatus comprising: 

a first integrated processor having one or more 
network interfaces for receiving packets and al- 
so having a second interface; 

a second integrated processor coupled to the 
second interface; and 

a security processor coupled to the second in- 
tegrated processor. 

2. The apparatus as recited in claim 1 wherein the first 
integrated processor is configured to process unen- 
crypted packets and to transmit encrypted packets 
to the second integrated processor for processing. 

3. The apparatus as recited in claim 2 further compris- 
ing a memory coupled to the second integrated 
processor, wherein the memory is configured to 
store one or more security databases during use. 

4. The apparatus as recited in claim 3 wherein the se- 
curity databases include a security association da- 
tabase storing security associations, wherein the 
second integrated processor is configured to lookup 
a first security association corresponding to a first 
encrypted packet in the security association data- 
base, and wherein the second integrated processor 
is configured to transmit the first encrypted packet 
and the first security association to the security 
processor for decryption. 

5. The apparatus as recited in claim 4 wherein the se- 
curity processor includes a security association 
cache configured to store security associations, 
and wherein the second integrated processor is 
configured to transmit an identifier of the first secu- 
rity association within the security association 
cache to the security processor instead of the first 
security association if the first security association 
is stored in the security association cache. 

6. The apparatus as recited in any of claims 4-5 
wherein the security processor is configured to 
transmit a first decrypted packet corresponding to 
the first encrypted packet to the second integrated 
processor, and wherein the second integrated proc- 
essor is configured to transmit the first decrypted 
packet on a third interface. 



20 10. The apparatus as recited in any of claims 1-9 
wherein the security processor is configured to per- 
form authentication processing on the packets. 

1 1 . A storage switch comprising: 

25 

at least one line card, each line card comprising 
the apparatus as recited in any of claims 1-1 0, 
wherein the network interfaces of the first inte- 
grated processor comprise interfaces of the line 
30 card; and 

at least one switch fabric card coupled to the at 
least one line card, wherein the switch fabric 
card is configured to route packets from the at 
35 least one line card and from one or more stor- 

age devices on a switch fabric. 

12. The storage switch as recited in claim 11 wherein 
the first integrated processor is configured to trans- 

40 mit processed packets through the second integrat- 
ed processor to the switch fabric. 

1 3. The storage switch as recited in any of claims 11-12 

wherein the second integrated processor is config- 
45 ured, in cooperation with the security processor, to 
decrypt encrypted packets and to transmit decrypt- 
ed packets on the switch fabric. 

14. The storage switch as recited in any of claims 11-13 
50 wherein the unencrypted packets and the encrypt- 
ed packets include commands to the storage devic- 
es. 



30 



7. The apparatus as recited in claim 6 wherein the sec- 
ond integrated processor is configured to receive a 55 
second unencrypted packet on the third interface, 
and wherein the second integrated processor is 
configured to lookup a second security association 



15. An apparatus comprising: 

a first system on a chip (SOC) including one or 
more network interface circuits, a second inter- 
face circuit, and at least a first processor, the 
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first processor programmed, during use, to 
process unencrypted pacl<ets received on the 
one or more network interface circuits and pro- 
grammed to detect encrypted pacl<ets received 
on the one or more network interface circuits 5 
and to route the encrypted packets to the sec- 
ond interface circuit; 

a second SOC including the second interface 
circuit coupled to the second interface circuit of io 
the first SOC, the second SOC including one or 
more network interface circuits configurable as 
a packet interface and at least a second proc- 
essor; and 

15 

a security processor coupled to the packet in- 
terface, wherein the second processor is pro- 
grammed, during use, to decrypt encrypted 
packets in cooperation with the security proc- 
essor. 20 



16. The apparatus as recited in claim 15 further com- 
prising a memory coupled to the second SOC, 
wherein the memory is configured to store one or 
more security databases during use. 25 

17. The apparatus as recited in claim 16 wherein the 
security databases include a security association 
database storing security associations, wherein the 
second processor is programmed, during use, to 30 
lookup a first security association corresponding to 

a first encrypted packet in the security association 
database, and wherein the second processor is pro- 
grammed, during use, to transmit the first encrypted 
packet and the first security association to the se- 35 
curity processor for decryption. 

18. The apparatus as recited in claim 17 wherein the 
security processor includes a security association 
cache configured to store security associations, 40 
and wherein the second processor is programmed, 
during use, to transmit an identifier of the first secu- 
rity association within the security association 
cache to the security processor instead of the first 
security association if the first security association 45 
is stored in the security association cache. 

19. The apparatus as recited in any of claims 17-18 
wherein the security processor is configured to 
transmit a first decrypted packet corresponding to so 
the first encrypted packet to the second SOC, and 
wherein the second SOC includes a second one or 
more network circuits configurable as a second 
packet interface, and wherein the second processor 

is programmed, during use, to transmit the first de- 55 
crypted packet on the second packet interface. 

20. The apparatus as recited in claim 19 wherein the 



second SOC is configured to receive a second un- 
encrypted packet on the second packet interface, 
and wherein the second processor is programmed, 
during use, to lookup a second security association 
in the security association database and to transmit 
the second unencrypted packet and the second se- 
curity association to the security processor for en- 
cryption. 

21. The apparatus as recited in claim 20 wherein the 

second SOC is configured to receive a second en- 
crypted packet corresponding to the second unen- 
crypted packet from the security processor, and 
wherein the second processor is programmed, dur- 
ing use, to transmit the second encrypted packet on 
the second interface to the first SOC for transmis- 
sion on one of the network interfaces. 

22. The apparatus as recited in any of claims 15-21 
wherein the network interface circuits are config- 
ured to communicate as Ethernet interfaces. 

23. The apparatus as recited in any of claims 15-22 
wherein the security processor is configured to per- 
form authentication processing on the packets. 
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